ABSTRACT

This paper demonstrates a nuclear reactor safety monitor incorporating hard-wired, redundant, digital program modules that control independent, redundant, digital monitor modules. One monitor module is used for each parameter significant to reactor safety. The characteristics of a proposed LIQUID METAL FAST BREEDER REACTOR are used as the reference performance criteria. The established criterion that a single failure must not prevent reactor shut down is used as the failure mode criterion. Within the program module, a programmable read-only memory (PROM) is used for sequence control of another PROM containing variable length subroutines. The subroutine PROM outputs are used as photo-isolated logic outputs for sequence control of the various monitor modules. The program module action is modelled on a digital computer. A four-input digital monitor module is developed. This module provides a shut down signal if three of the inputs exceed the parameter limit.
Table I. TABLE OF SYMBOLS

(The fault tree symbols themselves are drawn in the original; only their descriptions survive here.)

An Event or Result

Logical "OR" - Output occurs if any of the inputs occur.

Logical "AND" - Output occurs only if all the inputs occur.

Logical "NOT" - Output of function is inverted.

Basic Fault - The fault requires no further analysis.

Fault Basic to a Given Tree - The fault can be caused by even more basic failures.

Transfer In - Preceding events occur elsewhere on the fault tree.

Transfer Out - The result of this event also affects another section of the fault tree.
I. INTRODUCTION

The rapidly increasing electrical power demands in the United States and the resultant decreasing availability of natural fuels have caused a great demand by utility companies for nuclear powered generating stations of any kind. This, in turn, has placed heavy demands on the nation's ability to process from natural ores the amounts of fissile (i.e., easily split by neutron interaction into by-products and excess high-energy neutrons) uranium and plutonium required to fuel the reactors. These are mostly light-water moderated, thermal reactors which operate at moderate temperatures (500-700 F) and use saturated steam to power the electric generators. Much larger but presently little used supplies of uranium, thorium, and plutonium are not easily fissionable in their natural state but do easily absorb neutrons and become fissile materials suitable for reactor fuels. These materials are referred to as "fertile."

During the 1960's a development program was instituted by the United States Atomic Energy Commission (AEC) to develop sodium cooled fast breeder reactor plants intended to convert fertile fuel into fissile fuel (breeding) in addition to supplying electricity. Since coolant temperatures are higher in this process, more efficient conversion of thermal energy into electrical energy is feasible also. The potential result is enhanced availability of nuclear fuel, both by breeding and by increased plant efficiency. (See Appendix A, the introduction to the LIQUID METAL FAST BREEDER REACTOR (LMFBR) DEVELOPMENT PLAN, v. 1 [Ref. 1].)

The LMFBR Development Plan [Ref. 1] presents the state-of-the-art advances required by the much harsher environment characterized by higher neutron and gamma fluxes, higher temperatures, and liquid metal coolant. These documents indicate that current levels of technology are unsatisfactory in almost all areas and that concurrent research is being pursued. References 6-9 indicate some of this research with respect to reactor instrumentation. Reference 6 discusses the test facilities required and efforts to upgrade test environments from 700 F to 1400 F, 10° nv thermal-neutron flux to 10a8 nv fast-neutron flux, and 104 R/h to 10° R/h gamma flux. Research efforts in sensor development for temperature (thermocouples), neutron flux, flow, pressure, level, and strain are also discussed. Reference 7 discusses a possible microwave temperature sensor configuration. Reference 8 reports work on in-core, self-powered, fast-neutron flux monitors. Reference 9 discusses the problems of radiation induced noise on electrical signal cables. The varying approaches taken by the researchers indicate that optimum instrumentation techniques are yet to be proven.

The exact configuration of the reactors and controls, and the methods of detecting, transmitting, and utilizing various parameters are undetermined. This situation forces the use of assumptions of most likely future conditions. Published feasibility studies have provided insight into probable reactor designs and those parameters required to be measured and used for safety considerations. Reference 10, a good example of such a study based on the estimated state of the technology in 1980, proposes a 3-loop, double heat exchange, 1150 F, 2415 Mwt, 43% efficient plant, with a fuel doubling time of 14.3 years, and a core lifetime of 605 full power days. Direct digital control is proposed for many operations in the plant, including safety system backup. Figure 1 illustrates the referenced concept of the plant control system, primarily analog. The importance of the figure to this work is its use as an illustration of typical relationships among control parameters. Figure 2 shows the referenced plant's gross relationship between the control systems of Figure 1 and the digital computer. The analog safety monitor system operates as part of the "Nuclear Safety and Control System" to provide safety actions if parameter limits are exceeded. An important point not clear in the figure is the required independence of the nuclear safety and nuclear control systems. Functions which initiate safety shutdown are:

1. high outlet temperature

2. high start up rate

3. high power level

4. low flow rate

5. low coolant level

6. high neutron flux/flow rate

7. turbine generator trip

8. loss of feedwater

9. loss of heat sink

10. loss of vital instrument power

11. manual trip

Reference 10 is not a final study and does not develop the hardware to accomplish the objectives.

The safety criteria discussed in the various publications are all based on the concept of preventing a power excursion or other event that could damage the core and release activity to the coolant or atmosphere. From this concept, several criteria pertinent to this investigation have been developed:

1. The nuclear power plant protection system shall, with precision and reliability, automatically initiate appropriate protective action whenever a plant condition monitored by the system reaches a pre-set level.

2. Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates.

3. Channels that provide signals for the same plant protective function shall be independent and physically separated.

4. Any single equipment failure within the protective system shall not prevent proper protection system action when required (single failure criterion).

These criteria have resulted in multiple safety channels, multiple power supplies, and required periodic testing of safety channels. References 11-15 discuss many of these concepts in detail. In any case, each individual reactor installation must be reviewed and approved by the AEC prior to operation.







Presently, analog safety systems provide the proper isolation and redundancy for a safety system but suffer from additive errors due to the series arrangement of components, widening the margin between an allowed indicated condition and allowed actual condition. Since multiple adjustments are provided in analog channels, they must be regularly checked to ensure that they are still within allowed tolerances. A digital form of data transmission appears to be capable of providing channel separation, and yet can both reduce the number of error introducing components in the safety circuit and be made largely self-checking.
II. OBJECTIVES

Consideration of current practice in reactor control design, digital techniques, and safety criteria, coupled with anticipated requirements [Refs. 1-5, 10, Appendix B], led to the conclusion that some digital technique should provide a reliable and acceptable safety monitoring system for the LMFBR. Figure 3 illustrates the overall approach taken by this investigator in developing such a safety monitor system. Two basic concepts were incorporated. One concept was to have each safety parameter channel and its monitor module independent of the others and to have each channel comply with the conditions required in Sec. II B, ASSUMPTIONS, and Sec. II C, CRITERIA FOR IDEAL PERFORMANCE, of this report. The other concept was to provide a redundant and independent program module that would control the operation of the various monitor modules yet maintain their individual independence.







Figure 3. OVERALL APPROACH TO A DIGITAL SAFETY MONITOR

[Figure: Parameter 1 signals through Parameter N signals each enter their own Digital Monitor Module [Fig. 8]; one redundant Program Module [Fig. 4] supplies the control inputs to every monitor module; each monitor module produces its own safety action outputs.]
A. OBJECTIVES OF THIS INVESTIGATION

The objective of this investigation was to provide the following within the framework of LMFBR operation:

1. Compare the characteristics of sequential-step stored-program design with sequential-step hard-wired design of a monitor within the framework of speed, program hardness, and separability of channels.

2. Design a solid-state program module that would replace a stored program, maximize parallel-parameter operation of the safety monitor, and provide for field program changes.

3. Determine how closely this solid-state program module satisfied the ideal monitor criteria.

4. Demonstrate, by designing a digital monitor module, a digital method of monitoring one safety parameter. Investigate the extent to which safety channel separability, self test, and abnormal operation determination could be maintained in this one parameter channel.


B. ASSUMPTIONS

Since the LMFBR was undeveloped, assumptions were required to provide a framework for investigation:

1. The LMFBR configuration of Ref. 10 was to be used. Pertinent details of the configuration are listed in the introduction.

2. On-line digital computer control would be used. References 16-23 support this contention and discuss sampled-data techniques, optimal control, and several presently-installed digital control systems.

3. The control computer, though separate from the safety system, would have the safety limits programmed.

4. The environmental and performance requirements of Appendix B must be met.

5. A separate monitor unit for safety parameters would be used in addition to the on-line control computer to provide two independent mechanisms for actuating the safety shut down system.


C. CRITERIA FOR IDEAL PERFORMANCE

Ideally this monitor should satisfy the following criteria:

1. Operate with sufficient speed to protect the LMFBR. Reference 10 mentions a minimum delay of 100 msec, with 200 msec more probable.

2. Maintain reactor protection if the control computer fails.

3. Monitor failure should not prevent the control computer from initiating reactor shutdown.

4. Be compatible with control computer operation.

5. Have a program that:

a. Is hard under all operational conditions.

b. Can be changed without disturbance of wiring.

6. Be more reliable than the control computer.

7. Detect its own abnormal operation.

8. Operate without large storage requirements or need for external devices such as tapes.

9. Provide a means to change safety limits easily for plant maintenance.

10. Be modularized to minimize downtime.
III. COMPARISON OF SMALL SEQUENTIAL-STEP STORED-PROGRAM AND HARD-WIRED COMPUTERS

The general public acceptance of minicomputers for dedicated control and monitoring applications prompted an investigation of the utility of these machines with respect to LMFBR safety monitor implementation. The literature describing these machines emphasizes reliability, low cost, expandable configuration, and custom-tailored functions. All of these assets would be pertinent to LMFBR utilization provided that speed, channel separation, and single failure criteria were met.


A. IMPORTANT CHARACTERISTICS OF SMALL SEQUENTIAL-STEP STORED-PROGRAM COMPUTER

A small sequential-step stored-program computer (minicomputer) stores its program and data in core memory and executes the program step by step at the register transfer level. Though some may use a read-only memory to control the arithmetic unit and registers, allowing several arithmetic operations or register transfers (some simultaneously) per core memory cycle time, the program steps are executed sequentially at the operation level; i.e., multiply, divide. The storing of the basic operations in a read-only memory is sometimes called "firm-wired." Typical cycle time is 1-2 microseconds for each simple operation (one read-write time).
The most important characteristic features that restrict the utility of these machines for the nuclear monitoring application are:

1. Storage in the computer memory unit of both program sequence and data. Inherently, the program and the data from the various safety channels in a reactor safety monitor environment are brought together, violating the philosophy of monitor channel separation.

2. Common busses for data transfer. Again, one failure can affect both program and data if the bus is associated with the memory unit. One failure can affect data from all safety channels if the failure is associated with a data bus.

3. Sequential data handling. In a small machine, no provision is made for parallel handling of data from more than one source at a time.

4. Requirements for external equipment to input the program if it fails or if safety limits require changing.

5. Checkout programs cannot be independently run in parallel with the main program.


B. IMPORTANT CHARACTERISTICS OF SMALL SEQUENTIAL-STEP HARD-WIRED COMPUTERS

A small sequential-step hard-wired computer maintains its main program in its wiring or read-only memory, thus eliminating a stored program.

Important characteristic features:

1. Can operate at faster speeds because a read-write cycle into core memory is not required to access the program.

2. Retains sequential steps for the main program.

3. Simple machines tend to retain common data busses and a single arithmetic unit.

4. Expansion to provide parallel data handling appears to be easier to accomplish than with a primarily software machine.

5. The wiring or hard memory must be changed to change the program sequence.

6. Application of the single failure criterion requires multiple hardware.

7. Test programs either result in interbus connections, destroying channel separation, or must be externally applied.
C. COMPARISON AND CONCLUSION

Comparison of the characteristics of stored-program design with hard-wired design led to the conclusion that a small stored-program device was unsatisfactory and to the search for a device that would utilize the desirable features, such as higher speed and a hard program, of a hard-wired computer, improve the ability to provide for simultaneous parallel operation of independent steps, incorporate self-test while providing data channel isolation, and reduce the amount of hardware needed to provide redundancy. The result was the Program Module described in this paper.
IV. PROGRAM MODULE DESIGN

A. GENERAL CONSIDERATIONS

The first tasks encountered in the design of the program module were the selection of suitable memory and micrologic systems. Particular emphasis was placed on availability and variety of packaged functions, compatibility between memory and micrologic, speed of operation, temperature range allowed, and resistance to propagation of failures. A field-programmable, read-only memory (PROM) concept was selected because it offered a hard, but easily changeable, program in an integrated form. Transistor-transistor logic (TTL) medium scale integration (MSI) logic gates and setable counters (registers) were selected because they appeared to provide a wider range of packaged complex functions and higher speed than the metal-oxide-semiconductor (MOS) type logic. Other attributes of TTL are: a wide range of allowed operating temperature (-55C to +125C), input diode clamping to reduce line-noise reflections, and a wide variety of speed and power specifications.

The program module for the monitor [Fig. 4] was based on the concept that some parameters must be monitored at shorter periods than others, such that the longer monitor periods could be made some multiple of the shortest one. This allowed a simple synchronization scheme with longer-period events inserted at the appropriate time. Appendix B supports this concept. It was possible then to make each monitor event or test sequence a subroutine that could be called at the proper time. Two clock frequencies were required; one at the subroutine operating frequency and one to synchronize the shortest monitor period. The output of the subroutine PROM consisted of dedicated bits, confining the effect of a bit failure compared to the effect if decoders were to be used in conjunction with the PROM output. The dedicated bit concept allows the system designer a great deal of latitude in the use of parallel and concurrent monitor events and in the use of feedback within the control module to control subroutines of varying lengths.

The problem of electrical and physical isolation was solved by application of photo-isolators to the subroutine PROM outputs. A photo-isolator is a packaged unit consisting of a light-emitting diode, a photo-sensitive transistor or reverse-biased diode, and a clear insulator between them. The only connection between the input and output is light.

The output of the diode-transistor type photo-isolator is compatible with TTL inputs but the signal rise and fall times are much too long (5-20 microseconds) to be useful in this application. The output of the diode-diode type photo-isolator is not directly compatible with TTL inputs. A MOS input-TTL output buffer has been developed that operates at TTL voltage and reduces propagation delay to the .05-.1 microsecond range. This device allows the use of the diode-diode photo-isolator configuration.





B. DESCRIPTION OF A PROGRAM MODULE [Fig. 4]

1. Subroutine PROM (RS)

The subroutine PROM (RS) is a 1024 word x (N+2) bit PROM where N is based on overall monitor requirements. With the exception of the two feedback control bits, the output of RS is arbitrary and each bit is dedicated to some function to be performed. Feedback bus RSA holds a logical "1" only when that word is the last word of a subroutine, and feedback bus RSB holds a logical "1" only when that word is the first word of a subroutine. A subroutine may be of arbitrary length but must be at least two words long. Propagation times in the feedback paths also require that, at the 10 MHz clock frequency, each subroutine be at least two words long. The longest propagation time is in the PROM itself and is limiting, considering that faster counters and logic gates exist.

2. Subroutine Address Register (SAR)

The subroutine address register is a ten bit binary counter. During a subroutine the counter counts up one count each clock pulse, incrementing the address of RS by one. At the end of a subroutine, logic into the CET and PE (active low, parallel enable) inputs causes incrementing to stop and, when conditions pre-determined by logic on bus RPB are met, the first address in the next subroutine to be entered by parallel input from the program PROM-RP. Since only eight parallel input lines are available in the basic configuration, the number of preset addresses is only one fourth of the total number of addresses in SAR and RS. Two hundred fifty six separate subroutines seem to be adequate, considering that PROM dedicated bits may be used regardless of the subroutine involved, but, if more subroutines were required, the PROMs and registers could be expanded.

3. Program PROM (RP)

The sequence of subroutines is stored in PROM-RP (256 words by 12 bits) and sequentially executed. An eight bit bus, RPC, contains the start address of the next subroutine; a three bit bus, RPA, contains the number of times the next subroutine is to be repeated prior to going on; and a one bit bus, RPB, contains a logical "0" if the start of the next subroutine must be synchronized with the Sync input. Since the main program and the subroutines are contained in different PROMs, they can be changed independently.

4. Program Count Register (PCR)

The program count register [Fig. 6] is a four bit binary up/down counter that counts down, being clocked by bits on bus RSB; therefore, one count occurs per subroutine. When 0000 is reached the terminal-count-low or borrow gate enables the program address register PAR. At the start of the next subroutine, PAR is incremented and PCR goes to 1111 (binary). After the first step of the subroutine, PCR receives parallel inputs for the number of repeats of the next subroutine.
5. Program Address Register (PAR)

The program address register is an eight bit binary counter similar to SAR. It is enabled by the PCR terminal-count-low gate and uses the RSB output as a clock.

6. Enable Logic for the Subroutine Address Register (SAR)

(PE) = RSA · (RPB + SYNC); i.e., parallel entry is permitted only at the end of a subroutine and, if required by RPB = "0", at a sync pulse.

(CET) = SYNC + RPB + RSA; i.e., both counting up and parallel entry are inhibited at the end of a subroutine unless the conditions for PE are met. These gates are constructed as shown in Fig. 5 and consist of one standard MSI chip each.

7. Reset Circuitry

The reset circuitry consists of two elements. Upon initial turn-on or recovery of voltage, one element (low-voltage reset) resets the PAR, resets the SAR, and enables the parallel input into the PCR. Upon encountering a 111 (binary) on bus RPA (end of programmed portion of program PROM), the second element (end-of-program reset) resets the PAR only. The low-voltage reset may consist of a delay device to hold the resets and parallel enable low until after Vcc has risen. The end-of-program reset consists of a simple three-input NAND gate.
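The sequencing described in items 1-7 above, as an added behavioural model written for this edition (it is not the paper's Appendix C model nor any hardware of the project): the RS feedback bits RSA/RSB, the SAR/PAR/PCR registers, the RP fields RPC/RPA/RPB, the sync gating and the two resets are modelled at the subroutine-clock level. It assumes that RPA counts executions of a subroutine, that RS word 0 begins the subroutine named by RP word 0 after a low-voltage reset, and that a SYNC pulse arrives every `sync_period` clocks; the sample program and its names (FAST, SLOW) are constructed.

```python
"""Behavioural model of the PROM-sequenced program module (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

END_OF_PROGRAM = 0b111      # RPA value that fires the end-of-program reset


@dataclass
class RSWord:               # one word of the subroutine PROM, RS
    out: int                # the N dedicated output bits (photo-isolated in hardware)
    rsb: bool = False       # feedback bit: "1" only on the first word of a subroutine
    rsa: bool = False       # feedback bit: "1" only on the last word of a subroutine


@dataclass
class RPWord:               # one word of the program PROM, RP
    rpc: int                # 8-bit start address of the subroutine in RS
    rpa: int                # 3-bit run count (assumed: executions of the subroutine)
    rpb: int = 1            # "0": the subroutine start must wait for a SYNC pulse


def check_subroutines(rs: List[RSWord]) -> None:
    """Every subroutine must begin with RSB, end with RSA and be >= 2 words."""
    start = None
    for addr, w in enumerate(rs):
        if w.rsb:
            start = addr
        if w.rsa:
            if start is None or addr - start < 1:
                raise ValueError(f"subroutine ending at {addr} is shorter than two words")
            start = None


class ProgramModule:
    def __init__(self, rs: List[RSWord], rp: List[RPWord], sync_period: int):
        check_subroutines(rs)
        self.rs, self.rp, self.sync_period = rs, rp, sync_period
        self.tick = 0
        self.reset()

    def reset(self) -> None:
        """Low-voltage reset: SAR and PAR cleared, PCR loaded for program word 0.
        Assumes RS word 0 begins the subroutine that RP word 0 names (rpc == 0)."""
        self.sar = 0
        self.par = 0
        self.runs_left = self.rp[0].rpa - 1      # this execution has already started

    def step(self) -> Tuple[int, int, int]:
        """One subroutine-clock cycle; returns (tick, SAR address, RS output bits)."""
        word = self.rs[self.sar]
        sync = self.tick % self.sync_period == 0
        result = (self.tick, self.sar, word.out)
        self.tick += 1
        if not word.rsa:                         # CET high: SAR counts up by one
            self.sar = (self.sar + 1) & 0x3FF
            return result
        # Last word of a subroutine: decide which subroutine RS enters next.
        if self.runs_left == 0:                  # PCR at 0000 enables PAR
            par = (self.par + 1) & 0xFF
            if self.rp[par].rpa == END_OF_PROGRAM:
                par = 0                          # end-of-program reset: PAR only
            runs = self.rp[par].rpa
        else:
            par, runs = self.par, self.runs_left # repeat the same program step
        nxt = self.rp[par]
        if nxt.rpb == 0 and not sync:
            return result                        # CET low: hold on the last word
        self.par, self.runs_left = par, runs - 1 # PCR counts one per RSB pulse
        self.sar = nxt.rpc                       # PE: parallel-load start address
        return result


def build_sample() -> ProgramModule:
    """Constructed program: FAST twice, then SLOW once aligned to SYNC, repeat."""
    rs = [
        RSWord(0b0001, rsb=True),  # addr 0: FAST, comparator strobe bit
        RSWord(0b0010),            # addr 1: FAST, latch-result bit
        RSWord(0b0000, rsa=True),  # addr 2: FAST, quiescent last word (held while waiting)
        RSWord(0b0100, rsb=True),  # addr 3: SLOW, self-test request bit
        RSWord(0b0000, rsa=True),  # addr 4: SLOW, quiescent last word
    ]
    rp = [
        RPWord(rpc=0, rpa=2, rpb=1),          # run FAST twice, free running
        RPWord(rpc=3, rpa=1, rpb=0),          # run SLOW once, wait for SYNC
        RPWord(rpc=0, rpa=END_OF_PROGRAM),    # 111 on RPA: reset PAR and loop
    ]
    return ProgramModule(rs, rp, sync_period=8)


def run_sample(ticks: int) -> List[Tuple[int, int, int]]:
    pm = build_sample()
    return [pm.step() for _ in range(ticks)]


if __name__ == "__main__":
    for t, sar, out in run_sample(24):
        print(f"tick {t:2d}  SAR={sar}  RS out={out:04b}")
```

Because the SAR holds on the last word while waiting for SYNC, that word's dedicated bits stay asserted on the photo-isolated bus; the sample therefore makes every last word all-zeros.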
C. FAULT TREE OF A PROGRAM MODULE

Table I shows the symbols used in constructing all fault trees in this paper. Figure 7 is the fault tree of the control module.

1. Power Supply Failures

Power supply failures were not included in the control module fault tree because a loss of voltage would cause the control module to reset and a catastrophically high voltage would cause burn-out of the light-emitting diodes in the photo-isolators, having the same effect as a reset. Provision is made in the digital monitor module construction for voting inputs from three parallel program modules, thus preventing a single failure of a program module from inhibiting monitor operation.

2. Analysis with Respect to the Single Failure Criterion

Review of the fault tree of the program module revealed that, while the module contains several feedback paths, the effect of any fault is to prevent proper output; hence a serial fault tree and implied serial consideration of reliability. The serial nature of faults dictates redundant program modules to satisfy the single failure criterion [Ref. 14] which states that no single failure may prevent reactor shut down.


D. TEST REQUIREMENTS FOR THE PROGRAM MODULE

Self-test circuitry in the program module cannot test the connecting wiring between the program module and monitor modules and performs little function not tested elsewhere. It also tends to reduce both the dedication of PROM-RS dedicated bits and the reliability, due to added complexity, of feedback paths. It was decided, based on these deleterious conditions, coupled with the simple implementation of redundant program modules, to provide for testing at the monitor module level.


E. COMPUTER MODEL OF THE PROGRAM MODULE

Operation of the program module was tested using a digital computer model [Appendix C]. The functional requirements for the reset circuitry were developed using this model. The model verified that the program module configuration of Fig. 4 operated in the desired manner.
V. DIGITAL MONITOR MODULE DESIGN

This section describes the design of a Digital Monitor Module whose function is, under the control of the program module, to compare four independent digital signals representing a safety parameter with a digital representation of the parameter limit and provide two independent shut down signals if three of the four incoming signals exceed the parameter limit. The module test facilities provide for functional test of the module and, coupled with other monitor modules, the program modules.


A. GENERAL CONSIDERATIONS

In a four-parameter channel, the detectors are usually grouped into two sub-groups for power source and signal channel considerations as shown in Figure 8. Each sub-group is powered from at least two independent sources determined by the overall plant design. Detectors A and C would be associated with power bus I and signal channel I, and detectors B and D would be associated with power bus II and signal channel II. Reference 14 requires that channel I and associated circuitry must be physically and electrically isolated from channel II and its circuitry, yet at some point the signals must be combined to provide two independent safety shut down (SCRAM) channels, each representing a combination of data from all four sources. The inability to provide electrical isolation using integrated circuits severely limits the use of such circuits in the logic design of such a channel. The module design effectively copes with that limitation.

The portion of interest of Figure 8 is inside the dotted lines, and consists of the comparator modules and scram logic modules. These modules, while independent, are controlled by redundant program modules.


B. SPECIFIC DESIGN CHARACTERISTICS EMPLOYED

1. Comply with the philosophy of separation of scram channels.

2. Incorporate integrated circuits to the extent that the failure of one IC does not interrupt both safety signals in a signal channel.

3. Indicate an unsafe reactor condition upon loss of power to the module or component that processes a signal.

4. Prevent the propagation of device failure throughout the monitor.

5. Be amenable to some periodic test to detect a device failure indicating a safe reactor condition.

6. Provide for adjustment of parameter limit setpoints.


C. DESIGN CHOICES

The comparator module [Fig. 9] shows the result of several comparisons of techniques. One comparison was among techniques for presenting the parameter limit. Three techniques were considered. The first technique was to enter the parameter into a ROM that had an output of "0" or "1" depending on whether the parameter limit had been exceeded. The second was to store the parameter limit in a core memory and compare it with the parameter measured. The third was to enter the parameter limit in a local thumbwheel register and have it continuously available to the comparator. This last alternative was chosen as the most practical because the limit was easily changed, it complied with channel separation, and it required no data transfers from a common core memory.

Another choice concerned at what point to combine the signals from the four detectors; i.e., the choice of using one of the following as signals into the scram logic modules:

1. A, B, C, D (independently)

2. A + C, B + D

Choice 2 simplified the logic in the scram logic module and reduced the number of ICs there, possibly improving module mean-time-to-failure (MTTF); however, the added circuitry in the comparator modules negated that MTTF improvement with respect to the overall channel. A second flaw in choice 2 was the transmission of combined signals to the scram logic modules. An IC failure in the comparator module could interrupt some combination of both signals from a signal channel; therefore choice 2 was rejected.


D. DESCRIPTION OF A COMPARATOR MODULE (COM)

As shown in Figure 9, the complement of the parameter reference from a thumbwheel register is directly compared with the digital parameter signal complement. If the signal is smaller, its complement is larger and a logical "1" is gated to a TTL buffer. If the signal input is interrupted or supply voltage to the comparator is lost, an unsafe condition (logical "0") is gated. The buffer has the capability of sinking larger light-emitting diode turn-on surge currents than standard TTL devices can. This reduces light turn-on time and increases response speed of the photo-isolator. Light turn-off time does not appear to be a function of a surge current. The buffer output drives two photo-isolators whose light-emitting diodes conduct when a safe condition is indicated. The photo-isolators provide independent, electrically isolated, single-parameter signals to each of the scram logic modules. This is the feature that enables digital IC devices to be used in a monitor module.


E. PROGRAM INPUTS TO THE COMPARATOR MODULE

The study of comparator module failure modes led to the realization that not only must the module conform to the single failure criterion, so must the control inputs from the program module, since one program module provides inputs to both channels on a comparator module.

Consideration of some technique of comparing program module parameters to determine which of multiple inputs to use as controls for the comparator module led to the conclusion that comparison between program module parameters at the program module level destroyed electrical independence and that the most fruitful concept was to employ two out of three majority voting logic at the comparator control input level. Using this technique, a single failure of a control module or of a control line to a comparator module would not inhibit operation. The use of photo-isolated program module outputs to the comparator module necessitates the use of a MOS-TTL buffer as the voting circuit. Since a failure in the three control lines to one section of a comparator module will not feed back to the program modules and inhibit their operation, those lines can be considered to belong to that comparator module section. A common mode failure of the control lines can be considered to be the same as a failure of that section of the comparator module.


F. DESCRIPTION OF A SCRAM LOGIC MODULE (SLM)

The Scram Logic Module shown in Figure 10 combines isolated logic
signals to give the function: SCRAM = ABC + ABD + BCD + ACD.
Catastrophic failure of one SLM cannot be propagated to the other
modules of the digital monitor. Diode isolation prevents propagation
within the SLM of a short between two inputs of the AND-OR-NOT gate,
thus simplifying the fault tree analysis and minimizing the loss of
function. A catastrophic failure of the entire module may cause loss
of that scram channel. If one signal input channel fails in a no-scram
condition, all other channels must operate; therefore, some periodic
test for failure in a no-scram condition is required.


G. FAULT TREE OF DIGITAL MONITOR MODULE 

Figure 11a is the fault tree of the digital monitor module from
final output to the driver inputs to the photo-isolator stages on the COM.
Figure 11b is the fault tree for the COM prior to the photo-isolator
inputs.


1. Power Supply Failure 

Power supply failures were not accounted for in this analysis 
because a voltage loss to either the COM or SLM would insert a signal 
tending to cause reactor shut down. The effects of a catastrophically 
high voltage were uncertain; however, one event that would occur is 
photo-isolator light-emitting diode burn-out. The cessation of emis- 
sion would transmit a signal tending to cause reactor shut down also. 

2. Wiring Faults

The term ''wiring fault" as used in the diagram refers to 
the worst-case scram-inhibiting casualty to the particular connecting 
wires or printed circuit; i.e., the only wiring fault applicable to the 
output wiring of the SLM would be a short to Vcc. Opens, grounds, 
or very high voltage would result in a shut down signal. 

3. Compliance with the Single Failure Criterion

Review of the fault tree for the monitor module itself indicated
that no single failure within the module could prevent reactor shut
down. The minimum number of failures required was two independent
ones: one in the output portion of each scram logic module, or one in
each of two comparator circuits. The use of buffers and diode isolation
has minimized propagation of the effects of an IC failure. Reference
25, p. 4-7, states that the testing program for the Advanced
Multi-Function Array Radar (AMFAR) revealed that failures of TTL
integrated circuits, such as those proposed here, do not seem to
propagate. In that case, seven IC chip failures not corrected by design
occurred in 11.2 million operating hours. No failures propagated to
other circuits, either on the same chip or connected to the failed
circuit.
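The following Python model was added by the editor to make the
single-failure argument of sections E, F and G checkable; it is not
code from the thesis. It encodes only what the text states: three
program modules feeding 2-of-3 voted control lines to four comparator
channels, each comparator driving one photo-isolator per scram logic
module, and SLMs implementing SCRAM = ABC + ABD + BCD + ACD. Every
scram-inhibiting single fault the fault tree considers (stuck control
line, dead program module, comparator or photo-isolator stuck "safe",
SLM output shorted to Vcc) is enumerated, then pairs are searched to
find the smallest inhibiting set. The 1200 F limit and 1250 F readings
are constructed, and two assumptions not on the page are marked in the
comments.

```python
from itertools import combinations

# Editor's model of the monitor described in sections D-G; not the thesis's
# own code.  Topology taken from the text: three program modules drive
# 2-of-3 voted control lines into each of four comparator channels A-D;
# each comparator drives two photo-isolators, one per scram logic module
# (SLM); an SLM scrams when any three of its four inputs read "unsafe",
# i.e. SCRAM = ABC + ABD + BCD + ACD.
# Assumptions not stated on the page: (1) either SLM tripping shuts the
# reactor down; (2) the worst-case control-line fault leaves a comparator
# frozen in its pre-excursion "safe" state.
CHANNELS = "ABCD"
PROGRAM_MODULES = (0, 1, 2)
SLMS = (0, 1)
WORD_BITS = 14   # word length the appendix derives for 1 F in 2000 F


def complement(value, bits=WORD_BITS):
    """One's complement of an unsigned n-bit word."""
    return ~value & ((1 << bits) - 1)


def comparator_safe(signal, reference, bits=WORD_BITS):
    """Section D: the complemented thumbwheel reference is compared with the
    complemented signal; a smaller signal has the larger complement and
    gates a '1' (safe).  None stands for an interrupted input or a lost
    supply, which the hardware gates as '0' (unsafe)."""
    if signal is None:
        return False
    return complement(signal, bits) > complement(reference, bits)


def majority(a, b, c):
    """2-of-3 vote performed by the MOS-TTL buffer at the control input."""
    return a + b + c >= 2


def scram_asserted(readings, reference, faults=frozenset()):
    """True if at least one SLM output is in the scram state.

    Each fault is the worst (scram-inhibiting) case for its location:
      ("prog", m)     program module m dead; all its control lines read 0
      ("ctl", ch, m)  control line from module m to comparator ch stuck at 0
      ("cmp", ch)     comparator ch output stuck "safe"
      ("iso", ch, s)  photo-isolator ch -> SLM s stuck lit (reads safe)
      ("slm", s)      SLM s output shorted to Vcc (the no-scram state)
    Fail-safe failures (dark LED, lost supply) can only add a scram, so
    they are not enumerated."""
    unsafe_seen = {s: 0 for s in SLMS}
    for ch in CHANNELS:
        lines = [0 if ("prog", m) in faults or ("ctl", ch, m) in faults else 1
                 for m in PROGRAM_MODULES]
        if ("cmp", ch) in faults or not majority(*lines):
            safe = True                      # stuck, or held (assumption 2)
        else:
            safe = comparator_safe(readings[ch], reference)
        for s in SLMS:
            if not (safe or ("iso", ch, s) in faults):
                unsafe_seen[s] += 1
    return any(("slm", s) not in faults and unsafe_seen[s] >= 3 for s in SLMS)


def all_single_faults():
    faults = [("prog", m) for m in PROGRAM_MODULES]
    faults += [("ctl", ch, m) for ch in CHANNELS for m in PROGRAM_MODULES]
    faults += [("cmp", ch) for ch in CHANNELS]
    faults += [("iso", ch, s) for ch in CHANNELS for s in SLMS]
    faults += [("slm", s) for s in SLMS]
    return faults


def minimum_inhibiting_faults(readings, reference, max_order=3):
    """Smallest combination of faults that blocks a scram for the given
    readings, or None if no combination up to max_order does."""
    faults = all_single_faults()
    for n in range(1, max_order + 1):
        for combo in combinations(faults, n):
            if not scram_asserted(readings, reference, frozenset(combo)):
                return combo
    return None


# Constructed sample: a 1200 F limit with all four detectors reading 1250 F.
LIMIT = 1200
EXCURSION = {ch: 1250 for ch in CHANNELS}

if __name__ == "__main__":
    print("scram with no faults:", scram_asserted(EXCURSION, LIMIT))
    print("smallest inhibiting set:", minimum_inhibiting_faults(EXCURSION, LIMIT))
```

With all four detectors seeing the excursion, every one of the 29
single faults still produces a scram, and the first inhibiting pair the
search finds is two dead program modules, which is the case the voting
logic cannot mask. The model also reproduces the caveat in section F:
if one detector reads safe and a comparator output is stuck "safe", only
two SLM inputs are unsafe and the scram is lost until a periodic test
finds the stuck output.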


H. TEST REQUIREMENTS FOR THE MONITOR MODULE

In-service test procedures must identify circuit failures and
localize them at least to the module concerned. The following
procedures were adequate to locate defective modules:

1. Turning off the voltage to one program module and inserting
unsafe conditions into the comparators, one at a time, functionally
tests both remaining program modules, the comparator module, and
the interconnecting wiring to the scram logic module.

2. Inserting unsafe conditions into two comparators will
functionally test the scram logic modules.

While these tests may be automatic or manual, it is considered
that the inherent redundancy and high mean-time-to-failure preclude
the need for automatic testing.
VI. RELIABILITY CONSIDERATIONS

While a reactor safety channel may be considered a sub-set of
a general control system, the emphasis of performance and reliability
considerations in a reactor safety channel is differentiated from that
in a reactor control system because of the differences in the method
of determination of parameter state and in the desired state after
control action is performed.


A. RELIABILITY CONSIDERATIONS IN A CONTROL SYSTEM 

In a reactor control system, the desired new state and best resul- 
tant action to get there are dependent upon the present reactor state and 
input demands as well as determination of whether or not the reactor 
state is safe. One example is the situation where a parameter is 
sensed by four detectors and one has failed such that an unsafe condition 
is indicated. The control system must reliably estimate actual reactor 
state based on those four signals, along with many others, and may well 
decide that the failed signal will be discarded for control purposes. If 
the spread in values of the four signals is great enough, the control 
system may not be able to decide which signals are correct and pro-
vision must be made for this possibility. Reference 24 presents the
same problem in an aircraft control system. In the aircraft though,
when system state is unclear, pilot override is provided and no action
or neutral control surface position seems to be considered safer than
some positive action because the operating conditions of the aircraft
are too varied to incorporate in the control model. Reliability con-
siderations in a control system are not considered in this paper.


B. RELIABILITY CONSIDERATIONS IN A SAFETY CHANNEL 

The action of a nuclear safety channel is to place the reactor 
in a previously determined safe state if a parameter exceeds a pre- 
determined limit. The limit is calculated allowing for anticipated 
channel errors. 

Primary emphasis in the design of the safety channel is placed 
on the concept that a single failure will not prevent placing the reactor 
in a known safe state. The safe state, being pre-determined, usually 
means shut down and will be so considered here. From a safety 
standpoint, though perhaps inconvenient, it is acceptable for a single 
signal or component failure to cause a shut down even though actual 
reactor conditions are satisfactory. A safe condition in this context 
is usually inconvenient to the operator. In order to provide assurance 
that a single failure will not prevent shut down, multiple signal and 
safety shut down channels are used. In order to provide continuity of 
operation, voting logic such as one out of two, two out of three or 
four, or three out of four is used. Design effort is used to cause 
most signal or device failures to be self-indicating. Periodic tests 
are used to detect failures that are not self-indicating. 

Because the safe reactor state is pre-determined and the safety
system is not tasked with the responsibility of determining the exact
state of a parameter, reliability analysis of a safety channel may be
reduced to two separate analyses:

(1) probable lifetime of components and connections until one
failure occurs (MTBF). This time must exceed the test
interval.

(2) fault tree analysis to show that any one failure cannot prevent
safety shut down.


For the MTBF of a safety channel, consideration of the series
combination of all components and the time between single failures,
rather than failures that would inhibit shut down, is the most
conservative approach. If this arrangement can be shown to be
acceptable, then any series/parallel redundant arrangement using the
same number of components and connections would be acceptable also.

An MTBF for any failure of 3000 hours, about three months of
continuous operation of an entire monitor channel, was selected as an
arbitrary minimum, based not on the state of the art but on presuming
a monthly test sequence to assure that proper attention is given to
the monitor.

Reliability data for circuits of similar complexity and high
quality materials to those incorporated in this design [Ref. 25] gave
an in-use estimated microcircuit failure rate of no more than
.192 x 10^-6 failures/hour. Actual operating results were
7/11.2 x 10^6 = .625 x 10^-6 failures/hour.

To find the serial failure rate of a module the component failure
rates are added. The failure rate per mating of plugs was not included
since unplugging modules was not considered to be a normal operating
procedure. The results of these calculations, as given in Table 0,
indicate that a 3000 hour test interval is reasonable and that, since
the program module has no redundant parts, yet has a much higher
failure rate than the monitor module, a redundant program module
should be provided for an operating installation.
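The series failure-rate budget described above, written out by the
editor as a runnable calculation (this is not the thesis's own code or
table). The only figure taken from the page is the AMFAR field result
quoted from Ref. 25, seven failures in 11.2 million IC operating hours;
the part counts and the resistor and photo-isolator rates below are
constructed for illustration. The example also answers a question the
text leaves implicit: how many series ICs at that rate a module may
contain before its MTBF falls to the 3000 hour test interval, and what
the probability of a failure before the test actually is when MTBF
merely equals the interval.

```python
import math

# Editor's example of the section VI.B series (sum-of-rates) MTBF budget;
# not the thesis's code.  The field figure (7 failures / 11.2e6 hours) is
# quoted on the page; all part counts and non-IC rates are constructed.
TEST_INTERVAL_HOURS = 3000          # monthly test sequence, per the text


def failure_rate_from_field_data(failures, device_hours):
    """Point estimate of a constant failure rate, in failures per device-hour."""
    return failures / device_hours


def series_failure_rate(parts):
    """Series model: any single part failure is a module failure, so rates add.
    parts is a list of (count, rate_per_hour) pairs."""
    return sum(count * rate for count, rate in parts)


def mtbf_hours(rate):
    return 1.0 / rate


def prob_failure_within(rate, hours):
    """Exponential life: P(at least one failure in `hours`) = 1 - exp(-rate*hours)."""
    return 1.0 - math.exp(-rate * hours)


def max_parts_for_interval(rate_per_part, interval_hours):
    """Largest number of identical series parts whose combined MTBF still
    exceeds the test interval."""
    return math.floor(1.0 / (rate_per_part * interval_hours))


def interval_is_reasonable(module_rate, interval_hours=TEST_INTERVAL_HOURS):
    """The thesis's acceptance test: MTBF of any failure must exceed the interval."""
    return mtbf_hours(module_rate) > interval_hours


IC_RATE = failure_rate_from_field_data(7, 11.2e6)      # .625e-6 /h, the page's figure

# Constructed part lists (count, rate/h): ICs at the field rate, plus
# resistors and photo-isolators at assumed rates.  Connector matings are
# left out, as on the page, since modules are not unplugged in service.
MONITOR_MODULE = [(24, IC_RATE), (16, 0.05e-6), (8, 0.2e-6)]
PROGRAM_MODULE = [(60, IC_RATE), (40, 0.05e-6), (32, 0.2e-6)]   # no redundancy


def budget(parts, interval_hours=TEST_INTERVAL_HOURS):
    """Series rate, MTBF, chance of a failure before the next test, verdict."""
    rate = series_failure_rate(parts)
    return {
        "rate_per_hour": rate,
        "mtbf_hours": mtbf_hours(rate),
        "p_fail_before_test": prob_failure_within(rate, interval_hours),
        "interval_ok": interval_is_reasonable(rate, interval_hours),
    }


if __name__ == "__main__":
    for name, parts in (("monitor module", MONITOR_MODULE),
                        ("program module", PROGRAM_MODULE)):
        print(name, budget(parts))
    print("series ICs allowed before MTBF < test interval:",
          max_parts_for_interval(IC_RATE, TEST_INTERVAL_HOURS))
```

Two points the numbers make: at .625 x 10^-6 failures/hour a module
can hold 533 series ICs before its MTBF drops to 3000 hours, so the
3000 hour interval is comfortable for modules of the size discussed;
and a module whose MTBF only just equals the interval still has a 63%
chance (1 - e^-1) of failing before the next test, which is why the
text treats MTBF exceeding the interval as a minimum, not a target.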
VII. CONCLUSIONS

As a result of this investigation, several conclusions were
reached. Some were basic to the initial goal and some became evident
as techniques for implementing the circuits were considered.

A. The design indicates that a ROM circuit using isolated out-
puts--such as the program module--can perform the program functions
of a hard-wired sequential controller with an apparent reduction in size
and complexity.

B. The meeting of isolation requirements shows that the reactor
safety system single failure criterion can be met using TTL ICs and
photo-isolators in the safety circuit.

C. External performance monitors tend to reduce the independence
of redundant circuits, such as the program module, whereas voting logic
downstream of the photo-isolators performs the same function while
maintaining redundant module independence.

D. Photo-isolation should be accomplished at signal branch
points and should form the upstream terminus of the branch path.

E. Automatic self-test is not always required if enough redun-
dancy is provided.
APPENDIX A

INTRODUCTION TO THE LIQUID METAL FAST
BREEDER REACTOR OVERALL PROGRAM PLAN [Ref. 1]

The following remarks are quoted from Ref. 1.

"The Liquid Metal Fast Breeder Reactor (LMFBR) Program has 
been assigned the highest priority in the Atomic Energy Commission's 
(AEC) broader program for the development of civilian nuclear power. 
The primary objective of the civilian power reactor development pro- 
gram in the United States is widespread use of nuclear energy for the 
production of heat and electricity with full exploitation of the energy 
available in our resources of uranium and thorium. The AEC's objec- 
tive also includes fostering the development of a self-sufficient and 
competitive nuclear industry. The need for a power reactor that can 
fully and economically exploit the energy reserves contained in uranium 
and thorium was recognized in the 'Civilian Nuclear Power--A Report
to the President--1962' which stated:

    The overall objective of the Commission's nuclear power
    program should be to foster and support the growing use of
    nuclear energy, and importantly to guide the program in
    such directions as to make possible the exploitation of the
    vast energy resources latent in the fertile materials uranium-
    238 and thorium.

The breeder is needed because it serves the above objective by:
providing the most efficient means of exploiting the energy available
in uranium; minimizing the quantity of uranium consumed per unit of
electricity generated; providing potential for low fuel costs; extending
ore reserves manyfold by increasing the utilization of uranium
recovered from ore; and providing a more effective use for plutonium
produced in light-water reactor plants. The 1962 Report to the Presi-
dent includes a detailed discussion of the place to be occupied by the
breeder in the overall program.

The 1967 Supplement to the 1962 Report to the President estab- 
lished the following specific objectives: (1) 'The development of 
improved converter and later breeder reactors to convert the fertile 
isotopes to fissionable ones, thus making available the full potential 
of the nuclear fuels;' and (2) 'The early establishment of a self- 
sufficient and growing nuclear power industry that will assume an 
increasing share of the development costs. ! 

In the breeder-reactor concept, excess neutrons produced in the 
process of generating nuclear power by fission are used to produce 
more fissionable material than is consumed. The fissionable isotopes 
U-233, U-235, Pu-239, and Pu-241 all produce more neutrons than 
are needed to maintain a nuclear chain reaction in power reactors. 
Reactor designs for large central-station power plants are arranged 
so that these excess neutrons are absorbed either in U-238, leading 
to the production of Pu-239, or in thorium, leading to the production 
of U-233. Of the four fissionable isotopes, only U-233, Pu-239, and 
Pu-241 produce sufficient neutrons to allow the possibility, in practical 
power reactors, of producing more fissionable material than is
consumed.

The plutonium isotopes produce the most excess neutrons when
used as fuel in a fast-neutron reactor, and cycles using U-238 as a
fertile material and mixtures of Pu-239 and Pu-241 as a fissile material
form the basis of the LMFBR Program. The isotope Pu-241 is formed
from Pu-239 through an intermediate isotope, Pu-240, which plays the
role of a subsidiary fertile material. The thorium-U-233 cycle is the
basis for breeding by using thermal-neutron reactors, but this cycle has
received relatively less emphasis in fast breeder reactor development
because the potential breeding gain is less than for the plutonium-
uranium cycle.

The fast breeders of major interest are divided into three cate- 
gories: sodium-cooled, gas-cooled, and steam-cooled. The sodium 
cooled fast breeder has been established as the priority program on 
the basis of potential economy, probability of successful development 
interest by reactor manufacturers, and technological experience gained 
in the United States and abroad. Sodium has a combination of advanta-
geous characteristics:

(1) Good nuclear properties, helpful in attaining high breeding 
ratios 

(2) A high boiling point, allowing high-temperature operation 
at low pressure--with resultant good plant thermal efficiency without 
the necessity for thick-walled reactor vessels 

(3) Excellent heat transfer, making possible achievement of
high specific power and hence low doubling time and fuel cycle costs

(4) A large heat capacity, allowing time for corrective action in
the event of a power transient or loss of coolant flow

(5) Low pumping power and relative lack of corrosion in the
absence of air and water.

The Program Plan has been developed to lay out the course of
action for achieving the objectives of the LMFBR Program. The Plan
consists of ten sections, each in a separate volume. Volume 1 pre-
sents the Overall Plan. Each of the other nine volumes treats a
specific area of the technology in depth by presenting: the objectives
to be attained, an evaluation of the state of the art, and the tasks to
be carried out to reach the objectives. This Overall Plan describes
the scope of each of the nine sections, referred to as Program elements,
and the relationships between them."
APPENDIX B

LMFBR PERFORMANCE REQUIREMENTS AND
DATA WORD LENGTHS

The following Performance Requirements and resultant binary
word lengths required for data transmission were derived from
Reference 3, p. 185-294. Binary word lengths include three extra
bits for maintenance of accuracy:

1. SENSORS FOR THE DETECTION OF NEUTRONS IN AND NEAR THE CORE

   Counter Sensitivity             100° 100 > (@rey ee
   Current Sensitivity             toe =e Avia
   Neutron Flux                    iQ =10 one
   Range                           2 or more decades
   BITS for Two Decades Range,
     Arbitrary 1% Accuracy         10

2. SENSORS FOR THE DETECTION OF NEUTRONS OUT OF CORE

   Counter Sensitivity             > 0.7 CPS/nv
   Current Sensitivity             > 10^-14 A/nv
   BITS for Two Decades Range,
     Arbitrary 1% Accuracy         10

3. TEMPERATURE SENSORS FOR GENERAL USE

   Range                           300-1400 F
   Accuracy                        + 1% on line (+ 1 F test)
   Transient Range                 to 2000 F
   Response Time                   unknown
   Thermal Shock                   max rate 100 F/sec
   BITS for 1 F in 2000 F          14

4. TEMPERATURE SENSORS FOR USE IN FUEL

   Work is in progress to discover a device that will survive the
   radiation environment. No specifications are set.

5. SODIUM-FLOW SENSORS FOR USE ON FUEL ASSEMBLIES

   Accuracy                        + 10% of full range
   Sensitivity                     1% of full range
   Time Constant                   1/2 second or less
   Expected Flow Rates             150 gal/min to 600 gal/min
   BITS for 1% Sensitivity         10

6. SODIUM-FLOW SENSORS FOR USE IN PIPES

   Accuracy                        + 5% of actual flow (above 10% flow)
   Dynamic Range                   10:1 to 100:1
   Flow Range                      0 to 120,000 gal/min
   BITS for 5% Accuracy            8

7. PRESSURE SENSORS FOR USE IN OR NEAR CORE

   Range: 0-15 PSI, absolute and gage pressure.
          0-20 in through 0-400 in water column, differential pressure.

   PURPOSE           ACCURACY            TIME CONSTANT
   Safety            + 3.0%              < 0.1 sec
                     + 10.0% dynamic     < 0.001 sec
   Plant Control     + 0.5%              < 10.0 sec
                     + 3.0%              < 0.1 sec

   BITS for 0.5% Accuracy          11

8. PRESSURE SENSORS FOR USE ON PIPES OR VESSELS

   Same as item 7.

9. PRESSURE SENSORS FOR USE ON FUEL ELEMENTS

   Range                           0-300 through 0-3000 psi
   Drift                           < 0.1% full scale per week
   Response time                   <2 U lagna
   BITS for 0.1% Accuracy          13

10. SODIUM LEVEL SENSORS

   Range                           0-2 ft. to 0-50 ft.
   Accuracy                        + 1/2 in. to + several in.
   Response time                   1 sec to 10 sec
   BITS for 1/2 in. in 50 ft       13

11. STRAIN SENSORS FOR USE ON PLANT, CORE, AND FUEL COMPONENTS

   Microstrain Range               + 2000 microstrain
   Drift                           < 2.0 microstrain/hr.
   Gage Factor                     => as
   Linearity                       unknown
   BITS for 2000 microstrain,
     + 1 microstrain Arbitrary     o§
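The word-length rule the appendix applies to each sensor (enough bits
to resolve the required number of levels, plus three extra bits for
maintenance of accuracy) is written out below as a function and checked
against the bit counts listed above. This is an editor's addition, not
part of the thesis; the sensor specifications are the appendix's own,
the helper names are the editor's, and the fraction-of-reading cases
are treated the way the appendix treats them, as 1/fraction levels.

```python
import math

# Editor's example of the Appendix B word-length rule; not the thesis's
# code.  A word must distinguish every required level and then carries
# three guard bits so that arithmetic on the word does not lose accuracy.
GUARD_BITS = 3


def word_length(levels, guard_bits=GUARD_BITS):
    """Bits needed to distinguish `levels` values, plus the guard bits.
    (levels - 1).bit_length() equals ceil(log2(levels)) for levels >= 2."""
    if levels < 1:
        raise ValueError("need at least one level")
    return (levels - 1).bit_length() + guard_bits


def levels_for_fraction(fraction):
    """Resolution given as a fraction of full scale, e.g. 0.01 for 1%.
    The small offset keeps 1/0.001 from landing on 1000.0000000000001."""
    return math.ceil(1.0 / fraction - 1e-9)


def levels_for_resolution(resolution, full_scale):
    """Resolution in engineering units over a span, e.g. 1 F over 2000 F."""
    return math.ceil(full_scale / resolution - 1e-9)


# (description, required levels, word length listed in Appendix B)
APPENDIX_CASES = [
    ("neutron sensors, 1% over two decades", levels_for_fraction(0.01), 10),
    ("temperature, 1 F in 2000 F", levels_for_resolution(1, 2000), 14),
    ("sodium flow on fuel assemblies, 1% sensitivity", levels_for_fraction(0.01), 10),
    ("sodium flow in pipes, 5% accuracy", levels_for_fraction(0.05), 8),
    ("pressure in or near core, 0.5% accuracy", levels_for_fraction(0.005), 11),
    ("pressure on fuel elements, 0.1% accuracy", levels_for_fraction(0.001), 13),
]


def check_appendix(cases=APPENDIX_CASES):
    """Return the cases whose computed word length disagrees with the
    listed one; an empty list means the table is internally consistent."""
    return [(name, word_length(levels), listed)
            for name, levels, listed in cases
            if word_length(levels) != listed]


if __name__ == "__main__":
    for name, levels, listed in APPENDIX_CASES:
        print(f"{name}: {levels} levels -> {word_length(levels)} bits (listed {listed})")
    print("disagreements:", check_appendix())
```

Every listed case reproduces: 100 levels need 7 bits, 2000 need 11,
20 need 5, 200 need 8 and 1000 need 10, each plus the three guard bits.
The same function gives the word length for any new sensor once its
required resolution is known, which is the only design input the
appendix actually uses.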
APPENDIX C

DEMONSTRATION OF THE DIGITAL PROGRAM MODULE

2. FLOW DIAGRAM OF THE COMPUTER MODEL